Hacker finds Facebook backdoor leaking usernames and passwords
The use of bounty programs to track down security vulnerabilities in websites and software is increasingly common these days, and it's a tactic employed by Facebook. One bounty hunter -- or penetration tester -- hacked his (or her… they are anonymous) way into the social network and made the shocking discovery that someone had already installed a backdoor.
Orange Tsai managed to compromise a Linux-based staff server and found there was already a piece of malware in place syphoning off usernames and passwords. These account details were being transmitted to a remote computer, and after revealing this to Facebook, Tsia pocketed $10,000 as a reward.
Facebook says that the malware was installed by a security researcher who was trying to earn themselves a bounty. Tsai, who works for Devcore in Taiwan, has provided a detailed write-up of what poking around Facebook servers revealed. Using a reverse lookup, Tsia discovered the existence of files.fb.com which was running Accellion's Secure File Transfer service which is known to suffer from certain vulnerabilities.
Using an SQL injection vulnerability, Tsai was able to execute remote code on the server and gain control of it. It was at this point that password-stealing PHP scripts were found to be present.
In a statement, Facebook security engineer Reginaldo Silva said:
We're really glad Orange reported this to us. In this case, the software we were using is third party. As we don't have full control of it, we ran it isolated from the systems that host the data people share on Facebook. We do this precisely to have better security.
We determined that the activity Orange detected was in fact from another researcher who participates in our bounty program. Neither of them were able to compromise other parts of our infrastructure, so the way we see it, it's a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access.
Facebook stresses that no user information was compromised by the backdoor.